rake-gem-maintenance 0.1.4 → 0.1.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 56b2317bfd8c0682d6ec738cec517684acbc61618a5cdabbae392f6b3af1585a
-  data.tar.gz: 0bc94e5f08ec7f816a23ad7d01afc947df12b14518f5a59c50984725aa3a4e67
+  metadata.gz: 6dc9985cb348ee5f79a3170eb6ef534b5fe8bc1aad6361be15178f883ba22767
+  data.tar.gz: e819c2d3f58a936c59fb8caf620f84e92dc68bf59cee8f592bb852c03d02de62
 SHA512:
-  metadata.gz: b7a7178dcae40451f051de63bb8cd64ad9559d5fa91a47cb1cf65cbd188db088e7cd1c88b6e06ac6b95947b5460d2d8a3f38ff6f778a9d327a418171cf5782e4
-  data.tar.gz: f714225b46c59edc8882db10fe26afded7eae11f89c06573b4a0fe5ac8effa9b312f945efe3df706989d3c9a1d3ee6513347b38b177052138b418c9ea355596f
+  metadata.gz: 43b4d7dec762bcefd6cd816f4c7a8c05a5e091929937f6e329801a6d4ff211fabdac4631f449d39501807b408f0f1411dc97637519857da49911cafa5bd108f6
+  data.tar.gz: 81d529473f1404940f0cc45d1011af5d1930506f972b2485cbe190f184cd53a820cbfaa683201ec0b8ef85e63f2d50714cf337780087a94704071a5ef82d735c

data/.woodpecker/publish.yml

@@ -0,0 +1,52 @@
+# publish.yml — build and publish rake-gem-maintenance to rubygems.org
+#
+# Triggers:
+#   - push to main (auto-publish on every merge)
+#   - manual (ad-hoc publish on demand)
+#
+# Required Woodpecker secrets (org-level cbp-org):
+#   rubygems_api_key    — rubygems.org API key (set at https://ci.cbp-org.internal)
+#   rubygems_otp_seed   — base32 TOTP seed for rubygems.org 2FA (already registered)
+#   badge_service_token — write token for badge.cbp-org.internal
+
+when:
+  event: [push, manual]
+  branch: main
+
+labels:
+  platform: linux
+
+clone:
+  git:
+    image: woodpeckerci/plugin-git:2.8.0
+    settings:
+      skip_verify: true
+
+steps:
+  - name: publish-gem
+    image: ruby:4.0.2-alpine
+    backend_options:
+      docker:
+        network_mode: host
+    environment:
+      GEM_HOST_API_KEY:
+        from_secret: rubygems_api_key
+      RUBYGEMS_OTP_SEED:
+        from_secret: rubygems_otp_seed
+    commands:
+      - apk add --no-cache build-base
+      - bundle install --jobs 4 --retry 3
+      - ruby scripts/ci_publish_rubygems.rb
+
+  - name: badge
+    image: docker-registry.cbp-org.internal/badge-reporter:latest
+    when:
+      status: [success, failure]
+    backend_options:
+      docker:
+        network_mode: host
+    environment:
+      BADGE_SECRET:
+        from_secret: badge_service_token
+    commands:
+      - badge report publish

data/.woodpecker/renew_api_key.yml

@@ -0,0 +1,47 @@
+when:
+  - event: cron
+    cron: monthly-renew-api-key
+  - event: manual
+
+labels:
+  platform: linux
+
+clone:
+  git:
+    image: woodpeckerci/plugin-git:2.8.0
+    settings:
+      skip_verify: true
+
+steps:
+  - name: renew-api-key
+    image: ruby:4.0.2-alpine
+    backend_options:
+      docker:
+        network_mode: host
+    environment:
+      RUBYGEMS_USERNAME:
+        from_secret: rubygems_username
+      RUBYGEMS_PASSWORD:
+        from_secret: rubygems_password
+      RUBYGEMS_OTP_SEED:
+        from_secret: rubygems_otp_seed
+      WOODPECKER_TOKEN:
+        from_secret: woodpecker_api_token
+      WOODPECKER_SERVER: "https://ci.cbp-org.internal"
+    commands:
+      - apk add --no-cache build-base
+      - bundle install --jobs 4 --retry 3
+      - bundle exec rake upgrade:renew_api_key
+
+  - name: badge
+    image: docker-registry.cbp-org.internal/badge-reporter:latest
+    when:
+      status: [success, failure]
+    backend_options:
+      docker:
+        network_mode: host
+    environment:
+      BADGE_SECRET:
+        from_secret: badge_service_token
+    commands:
+      - badge report renew-api-key

data/.woodpecker/verify.yml

@@ -0,0 +1,38 @@
+when:
+  event: [push, pull_request, manual]
+
+labels:
+  platform: linux
+
+clone:
+  git:
+    image: woodpeckerci/plugin-git:2.8.0
+    settings:
+      skip_verify: true
+
+steps:
+  - name: verify
+    image: ruby:4.0.2-alpine
+    backend_options:
+      docker:
+        network_mode: host
+    environment:
+      CUCUMBER_PUBLISH_QUIET: "true"
+    commands:
+      - apk add --no-cache build-base
+      - mkdir -p /root/.local/share/ruby-advisory-db/gems
+      - bundle install --jobs 4 --retry 3
+      - bundle exec rake verify
+
+  - name: badge
+    image: docker-registry.cbp-org.internal/badge-reporter:latest
+    when:
+      status: [success, failure]
+    backend_options:
+      docker:
+        network_mode: host
+    environment:
+      BADGE_SECRET:
+        from_secret: badge_service_token
+    commands:
+      - badge report verify

data/CLAUDE.md

@@ -54,6 +54,20 @@ Rake::GemMaintenance::UpgradeTask.new do |t|
 end
 ```
 
+## Repository & CI Workflow
+
+**GitHub** (`github.com/cbroult/rake-gem-maintenance`) is the canonical source.
+**Forgejo** (`git.cbp-org.internal/forgejo-admin/rake-gem-maintenance`) is a read-only pull mirror.
+
+- All pull requests go on **GitHub only**. Never open PRs on Forgejo.
+- Forgejo mirrors GitHub automatically every 10 minutes — never push to the `forgejo` remote manually.
+- **Woodpecker CI** (`ci.cbp-org.internal`) watches Forgejo and runs verify/publish/renew pipelines.
+- Local clone only needs the `origin` (GitHub) remote. Remove `forgejo` if present: `git remote remove forgejo`.
+
+## Code Style
+
+- Never add `# rubocop:disable` comments without explicit user permission.
+
 ## Commit Conventions
 
 - Use conventional commit format: `type(scope): subject`

data/Gemfile

@@ -12,6 +12,7 @@ gem "guard-cucumber"
 gem "guard-rspec"
 gem "guard-rubocop"
 gem "ostruct"
+gem "rdoc"
 gem "rspec"
 gem "rubocop"
 gem "rubocop-rake", require: false

data/Gemfile.lock

@@ -1,18 +1,20 @@
 PATH
   remote: .
   specs:
-    rake-gem-maintenance (0.1.4)
+    rake-gem-maintenance (0.1.6)
       bundler-audit
-      gem-release (~> 2.2)
-      rake (>= 13.0)
+      gem-release
+      rake
+      rotp
 
 GEM
   remote: https://rubygems.org/
   specs:
-    aruba (2.3.3)
+    aruba (2.4.0)
       bundler (>= 1.17)
       contracts (>= 0.16.0, < 0.18.0)
-      cucumber (>= 8.0, < 11.0)
+      cucumber (>= 8.0, < 12.0)
+      irb (~> 1.16)
       rspec-expectations (>= 3.4, < 5.0)
       thor (~> 1.0)
     ast (2.4.3)
@@ -24,18 +26,18 @@ GEM
       thor (~> 1.0)
     coderay (1.1.3)
     contracts (0.17.3)
-    cucumber (10.2.0)
+    cucumber (11.0.0)
       base64 (~> 0.2)
       builder (~> 3.2)
       cucumber-ci-environment (> 9, < 12)
-      cucumber-core (> 15, < 17)
+      cucumber-core (>= 16.2.0, < 17)
       cucumber-cucumber-expressions (> 17, < 20)
-      cucumber-html-formatter (> 21, < 23)
+      cucumber-html-formatter (> 21, < 24)
       diff-lcs (~> 1.5)
       logger (~> 1.6)
       mini_mime (~> 1.1)
       multi_test (~> 1.1)
-      sys-uname (~> 1.3)
+      sys-uname (~> 1.5)
     cucumber-ci-environment (11.0.0)
     cucumber-core (16.2.0)
       cucumber-gherkin (> 36, < 40)
@@ -43,14 +45,15 @@ GEM
       cucumber-tag-expressions (> 6, < 9)
     cucumber-cucumber-expressions (19.0.0)
       bigdecimal
-    cucumber-gherkin (39.0.0)
+    cucumber-gherkin (39.1.0)
       cucumber-messages (>= 31, < 33)
-    cucumber-html-formatter (22.3.0)
+    cucumber-html-formatter (23.1.0)
       cucumber-messages (> 23, < 33)
     cucumber-messages (32.3.1)
     cucumber-tag-expressions (8.1.0)
+    date (3.5.1)
     diff-lcs (1.6.2)
-    ffi (1.17.4-x64-mingw-ucrt)
+    erb (6.0.4)
     ffi (1.17.4-x86_64-linux-gnu)
     formatador (1.2.3)
       reline
@@ -81,7 +84,12 @@ GEM
       guard (~> 2.0)
       rubocop (< 2.0)
     io-console (0.8.2)
-    json (2.19.4)
+    irb (1.18.0)
+      pp (>= 0.6.0)
+      prism (>= 1.3.0)
+      rdoc (>= 4.0.0)
+      reline (>= 0.4.2)
+    json (2.19.5)
     language_server-protocol (3.17.0.5)
     lint_roller (1.1.0)
     listen (3.10.0)
@@ -103,20 +111,31 @@ GEM
     parser (3.3.11.1)
       ast (~> 2.4.1)
       racc
+    pp (0.6.3)
+      prettyprint
+    prettyprint (0.2.0)
     prism (1.9.0)
     pry (0.16.0)
       coderay (~> 1.1)
       method_source (~> 1.0)
       reline (>= 0.6.0)
+    psych (5.3.1)
+      date
+      stringio
     racc (1.8.1)
     rainbow (3.1.1)
     rake (13.4.2)
     rb-fsevent (0.11.2)
     rb-inotify (0.11.1)
       ffi (~> 1.0)
+    rdoc (7.2.0)
+      erb
+      psych (>= 4.0.0)
+      tsort
     regexp_parser (2.12.0)
     reline (0.6.3)
       io-console (~> 0.5)
+    rotp (6.3.0)
     rspec (3.13.2)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
@@ -130,7 +149,7 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
     rspec-support (3.13.7)
-    rubocop (1.86.1)
+    rubocop (1.86.2)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
@@ -152,21 +171,17 @@ GEM
       rubocop (~> 1.81)
     ruby-progressbar (1.13.0)
     shellany (0.0.1)
+    stringio (3.2.0)
     sys-uname (1.5.1)
       ffi (~> 1.1)
       memoist3 (~> 1.0.0)
-    sys-uname (1.5.1-universal-mingw32)
-      ffi (~> 1.1)
-      memoist3 (~> 1.0.0)
-      win32ole
     thor (1.5.0)
+    tsort (0.2.0)
     unicode-display_width (3.2.0)
       unicode-emoji (~> 4.1)
     unicode-emoji (4.2.0)
-    win32ole (1.9.3)
 
 PLATFORMS
-  x64-mingw-ucrt
   x86_64-linux
 
 DEPENDENCIES
@@ -179,13 +194,14 @@ DEPENDENCIES
   guard-rubocop
   ostruct
   rake-gem-maintenance!
+  rdoc
   rspec
   rubocop
   rubocop-rake
   rubocop-rspec
 
 CHECKSUMS
-  aruba (2.3.3) sha256=837a2f023368a75a38ad9be227e9738ab9af7df3b3f35afd8fb5fc5f7a93f1d4
+  aruba (2.4.0) sha256=92bb696efb06b1aa1dc3ff8b13ca71cd727e59d27572f9264216b9722b558299
   ast (2.4.3) sha256=954615157c1d6a382bc27d690d973195e79db7f55e9765ac7c481c60bdb4d383
   base64 (0.3.0) sha256=27337aeabad6ffae05c265c450490628ef3ebd4b67be58257393227588f5a97b
   bigdecimal (4.1.2) sha256=53d217666027eab4280346fba98e7d5b66baaae1b9c3c1c0ffe89d48188a3fbd
@@ -193,16 +209,17 @@ CHECKSUMS
   bundler-audit (0.9.3) sha256=81c8766c71e47d0d28a0f98c7eed028539f21a6ea3cd8f685eb6f42333c9b4e9
   coderay (1.1.3) sha256=dc530018a4684512f8f38143cd2a096c9f02a1fc2459edcfe534787a7fc77d4b
   contracts (0.17.3) sha256=e72e626413ea47099becb7b5683beb1c2ea902c69f5bad55c9258fe2b48314d7
-  cucumber (10.2.0) sha256=fdedbd31ecf40858b60f04853f2aa15c44f5c30bbac29c6a227fa1e7005a8158
+  cucumber (11.0.0) sha256=14bb964cc172999e9010fece2fad9f104044b055b3199230091894637a2a784c
   cucumber-ci-environment (11.0.0) sha256=0df79a9e1d0b015b3d9def680f989200d96fef206f4d19ccf86a338c4f71d1e2
   cucumber-core (16.2.0) sha256=592b58a95cf42feef8e5a349f68e363784ba3b6568ffbcf6776e38e136cf970b
   cucumber-cucumber-expressions (19.0.0) sha256=33208ff204732ac9bed42b46993a0a243054f71ece08579d57e53df6a1c9d93a
-  cucumber-gherkin (39.0.0) sha256=46f51d87e910f41c3c5cee3b500028ca2b2e7149a413a8280b9a58cee2593e55
-  cucumber-html-formatter (22.3.0) sha256=f9768ed05588dbd73a5f3824c2cc648bd86b00206e6972d743af8051281d0729
+  cucumber-gherkin (39.1.0) sha256=aed12a0c955d8563d80a012633c1a72075525f4d64d4cc983001df2181b379ed
+  cucumber-html-formatter (23.1.0) sha256=7789b4a792c876394b9604aeb66aa5cf4c61514473b7e712c76d5eaedcdd8cdf
   cucumber-messages (32.3.1) sha256=ddc88e4c1cf7afb96c06005b92a4a6f221a2fa435a8b4ca04677d215fd82771c
   cucumber-tag-expressions (8.1.0) sha256=9bd8c4b6654f8e5bf2a9c99329b6f32136a75e50cd39d4cfb3927d0fa9f52e21
+  date (3.5.1) sha256=750d06384d7b9c15d562c76291407d89e368dda4d4fff957eb94962d325a0dc0
   diff-lcs (1.6.2) sha256=9ae0d2cba7d4df3075fe8cd8602a8604993efc0dfa934cff568969efb1909962
-  ffi (1.17.4-x64-mingw-ucrt) sha256=f6ff9618cfccc494138bddade27aa06c74c6c7bc367a1ea1103d80c2fcb9ed35
+  erb (6.0.4) sha256=38e3803694be357fe2bfe312487c74beaf9fb4e5beb3e22498952fe1645b95d9
   ffi (1.17.4-x86_64-linux-gnu) sha256=9d3db14c2eae074b382fa9c083fe95aec6e0a1451da249eab096c34002bc752d
   formatador (1.2.3) sha256=19fa898133c2c26cdbb5d09f6998c1e137ad9427a046663e55adfe18b950d894
   gem-release (2.2.4) sha256=2f11124c1580c811507c3b47e875e420cf3ed792a98105b49df11971e6e94db3
@@ -213,7 +230,8 @@ CHECKSUMS
   guard-rspec (4.7.3) sha256=a47ba03cbd1e3c71e6ae8645cea97e203098a248aede507461a43e906e2f75ca
   guard-rubocop (1.5.0) sha256=3041d796dcb5ee31e352de74732250826f5f235b4ff48df9dbf424a6dc736251
   io-console (0.8.2) sha256=d6e3ae7a7cc7574f4b8893b4fca2162e57a825b223a177b7afa236c5ef9814cc
-  json (2.19.4) sha256=670a7d333fb3b18ca5b29cb255eb7bef099e40d88c02c80bd42a3f30fe5239ac
+  irb (1.18.0) sha256=de9454a0703a54704b9811a5ef31a60c86949fbf4013fcf244fabc7c775248e3
+  json (2.19.5) sha256=218a18553e4801d579ca7e0f5bc72bafd776d7397238a1fb4e74db5b0a812c59
   language_server-protocol (3.17.0.5) sha256=fd1e39a51a28bf3eec959379985a72e296e9f9acfce46f6a79d31ca8760803cc
   lint_roller (1.1.0) sha256=2c0c845b632a7d172cb849cc90c1bce937a28c5c8ccccb50dfd46a485003cc87
   listen (3.10.0) sha256=c6e182db62143aeccc2e1960033bebe7445309c7272061979bb098d03760c9d2
@@ -228,33 +246,38 @@ CHECKSUMS
   ostruct (0.6.3) sha256=95a2ed4a4bd1d190784e666b47b2d3f078e4a9efda2fccf18f84ddc6538ed912
   parallel (2.1.0) sha256=b35258865c2e31134c5ecb708beaaf6772adf9d5efae28e93e99260877b09356
   parser (3.3.11.1) sha256=d17ace7aabe3e72c3cc94043714be27cc6f852f104d81aa284c2281aecc65d54
+  pp (0.6.3) sha256=2951d514450b93ccfeb1df7d021cae0da16e0a7f95ee1e2273719669d0ab9df6
+  prettyprint (0.2.0) sha256=2bc9e15581a94742064a3cc8b0fb9d45aae3d03a1baa6ef80922627a0766f193
   prism (1.9.0) sha256=7b530c6a9f92c24300014919c9dcbc055bf4cdf51ec30aed099b06cd6674ef85
   pry (0.16.0) sha256=d76c69065698ed1f85e717bd33d7942c38a50868f6b0673c636192b3d1b6054e
+  psych (5.3.1) sha256=eb7a57cef10c9d70173ff74e739d843ac3b2c019a003de48447b2963d81b1974
   racc (1.8.1) sha256=4a7f6929691dbec8b5209a0b373bc2614882b55fc5d2e447a21aaa691303d62f
   rainbow (3.1.1) sha256=039491aa3a89f42efa1d6dec2fc4e62ede96eb6acd95e52f1ad581182b79bc6a
   rake (13.4.2) sha256=cb825b2bd5f1f8e91ca37bddb4b9aaf345551b4731da62949be002fa89283701
-  rake-gem-maintenance (0.1.4)
+  rake-gem-maintenance (0.1.6)
   rb-fsevent (0.11.2) sha256=43900b972e7301d6570f64b850a5aa67833ee7d87b458ee92805d56b7318aefe
   rb-inotify (0.11.1) sha256=a0a700441239b0ff18eb65e3866236cd78613d6b9f78fea1f9ac47a85e47be6e
+  rdoc (7.2.0) sha256=8650f76cd4009c3b54955eb5d7e3a075c60a57276766ebf36f9085e8c9f23192
   regexp_parser (2.12.0) sha256=35a916a1d63190ab5c9009457136ae5f3c0c7512d60291d0d1378ba18ce08ebb
   reline (0.6.3) sha256=1198b04973565b36ec0f11542ab3f5cfeeec34823f4e54cebde90968092b1835
+  rotp (6.3.0) sha256=75d40087e65ed0d8022c33055a6306c1c400d1c12261932533b5d6cbcd868854
   rspec (3.13.2) sha256=206284a08ad798e61f86d7ca3e376718d52c0bc944626b2349266f239f820587
   rspec-core (3.13.6) sha256=a8823c6411667b60a8bca135364351dda34cd55e44ff94c4be4633b37d828b2d
   rspec-expectations (3.13.5) sha256=33a4d3a1d95060aea4c94e9f237030a8f9eae5615e9bd85718fe3a09e4b58836
   rspec-mocks (3.13.8) sha256=086ad3d3d17533f4237643de0b5c42f04b66348c28bf6b9c2d3f4a3b01af1d47
   rspec-support (3.13.7) sha256=0640e5570872aafefd79867901deeeeb40b0c9875a36b983d85f54fb7381c47c
-  rubocop (1.86.1) sha256=44415f3f01d01a21e01132248d2fd0867572475b566ca188a0a42133a08d4531
+  rubocop (1.86.2) sha256=bb2e97f635eda42c448f2588f4a6ff78f221b8bdfdf65b1e9b07fbd57521b45d
   rubocop-ast (1.49.1) sha256=4412f3ee70f6fe4546cc489548e0f6fcf76cafcfa80fa03af67098ffed755035
   rubocop-rake (0.7.1) sha256=3797f2b6810c3e9df7376c26d5f44f3475eda59eb1adc38e6f62ecf027cbae4d
   rubocop-rspec (3.9.0) sha256=8fa70a3619408237d789aeecfb9beef40576acc855173e60939d63332fdb55e2
   ruby-progressbar (1.13.0) sha256=80fc9c47a9b640d6834e0dc7b3c94c9df37f08cb072b7761e4a71e22cff29b33
   shellany (0.0.1) sha256=0e127a9132698766d7e752e82cdac8250b6adbd09e6c0a7fbbb6f61964fedee7
+  stringio (3.2.0) sha256=c37cb2e58b4ffbd33fe5cd948c05934af997b36e0b6ca6fdf43afa234cf222e1
   sys-uname (1.5.1) sha256=784d7e6491b0393c25cbbe5ac38324ac7be9fda083a6094832648af669386d7b
-  sys-uname (1.5.1-universal-mingw32) sha256=aceb618e3276da5eae0ce368e9f6fae8c1f3e9ef23a0595cb88db7b6ecd45f62
   thor (1.5.0) sha256=e3a9e55fe857e44859ce104a84675ab6e8cd59c650a49106a05f55f136425e73
+  tsort (0.2.0) sha256=9650a793f6859a43b6641671278f79cfead60ac714148aabe4e3f0060480089f
   unicode-display_width (3.2.0) sha256=0cdd96b5681a5949cdbc2c55e7b420facae74c4aaf9a9815eee1087cb1853c42
   unicode-emoji (4.2.0) sha256=519e69150f75652e40bf736106cfbc8f0f73aa3fb6a65afe62fefa7f80b0f80f
-  win32ole (1.9.3) sha256=01f43dc5dc13806e6e58204f538b4a28f3d85968ea89074abc9a3cd118e94d96
 
 BUNDLED WITH
   4.0.4

data/README.md

@@ -46,6 +46,81 @@ Rake::GemMaintenance::VersionBumpTask.new do |t|
 end
 ```
 
+## Automated Publishing to rubygems.org
+
+Set two environment variables and `gem push` runs fully unattended — including TOTP 2FA code
+generation if your rubygems.org account has MFA enabled.
+
+| Env var | Purpose |
+|---|---|
+| `GEM_HOST_API_KEY` | rubygems.org API key (scoped to push) |
+| `RUBYGEMS_OTP_SEED` | Base32 TOTP seed — auto-generates the 2FA code; omit if MFA is disabled |
+
+### Quick setup
+
+`require "rake/gem_maintenance/install_tasks"` pre-configures both env var names automatically —
+no extra Ruby needed. See [features/install_tasks.feature](features/install_tasks.feature) for
+the full workflow.
+
+### Custom env var names
+
+```ruby
+require "rake/gem/maintenance"
+
+Rake::GemMaintenance::Repos.rubygems_api_key_env_var  = "MY_RUBYGEMS_KEY"
+Rake::GemMaintenance::Repos.rubygems_otp_seed_env_var = "MY_OTP_SEED"
+
+Rake::GemMaintenance::UpgradeTask.new
+```
+
+See [features/upgrade_task/repos_configuration.feature](features/upgrade_task/repos_configuration.feature)
+for all configuration options including geminabox and dual publishing.
+
+### Local credential store
+
+After the first successful `upgrade:renew_api_key` run, the API key and OTP seed are saved to:
+
+```
+~/.config/rake-gem-maintenance/credentials.yml   # Linux / Mac  (respects $XDG_CONFIG_HOME)
+%APPDATA%\rake-gem-maintenance\credentials.yml   # Windows
+```
+
+The file is created with `0600` permissions (owner-read-only on Unix). It stores `username`,
+`gem_host_api_key`, and `rubygems_otp_seed` — **never the password**. Any project using
+`require "rake/gem_maintenance/install_tasks"` automatically loads the key and OTP seed from
+this file at startup, so `gem push` works without any manual env-var setup.
+
+See [features/upgrade_task/credential_store.feature](features/upgrade_task/credential_store.feature)
+for the full behaviour specification.
+
+### API key renewal
+
+API keys can be rotated in two ways:
+
+**Automatic** — when `gem push` returns a 401/403, the publisher transparently obtains a new
+key using `RUBYGEMS_USERNAME` + `RUBYGEMS_PASSWORD` (+ TOTP from `RUBYGEMS_OTP_SEED` if MFA is
+enabled), then retries the push once. No intervention needed.
+
+**On-demand** — run the task explicitly to rotate ahead of expiry:
+
+```bash
+rake upgrade:renew_api_key
+```
+
+Locally this prompts for credentials interactively. In CI, supply all three env vars for
+unattended operation:
+
+| Env var | Purpose |
+|---|---|
+| `RUBYGEMS_USERNAME` | rubygems.org account username or email |
+| `RUBYGEMS_PASSWORD` | rubygems.org account password |
+| `RUBYGEMS_OTP_SEED` | Same TOTP seed as above — reused here to authenticate the key-creation request |
+
+The new key is written back to the `GEM_HOST_API_KEY` CI secret automatically (requires
+`WOODPECKER_TOKEN` and `WOODPECKER_SERVER` when running under Woodpecker CI).
+
+See [features/upgrade_task/renew_api_key.feature](features/upgrade_task/renew_api_key.feature).
+
 ## License
 
 The gem is available as open source under the terms of the [MIT License](LICENSE.txt).

data/lib/rake/gem/maintenance/api_key_renewer.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Rake
+  module GemMaintenance
+    # Renews a rubygems.org API key using credentials from env vars and
+    # persists the new key to Woodpecker CI when server details are available.
+    class ApiKeyRenewer
+      def initialize(otp_provider:,
+                     username_env_var: "RUBYGEMS_USERNAME",
+                     password_env_var: "RUBYGEMS_PASSWORD")
+        @otp_provider = otp_provider
+        @username_env_var = username_env_var
+        @password_env_var = password_env_var
+      end
+
+      def renew(repository)
+        username = env_credential(@username_env_var)
+        password = env_credential(@password_env_var)
+        return nil if username.nil? || password.nil?
+
+        otp = @otp_provider.otp_for(repository[:name], otp_seed_env_var: repository[:otp_seed_env_var])
+        new_key = RubyGemsApiKeyCreator.new(host: repository.fetch(:url, "https://rubygems.org"))
+                                       .create(username, password, otp: otp)
+        persist_to_woodpecker(new_key)
+        new_key
+      rescue StandardError
+        nil
+      end
+
+      private
+
+      def env_credential(var)
+        value = ENV.fetch(var, nil)
+        value&.empty? ? nil : value
+      end
+
+      def persist_to_woodpecker(new_key)
+        server = ENV.fetch("WOODPECKER_SERVER", nil)
+        token = ENV.fetch("WOODPECKER_TOKEN", nil)
+        return unless server && token
+
+        org = ENV.fetch("WOODPECKER_ORG", "cbp-org")
+        WoodpeckerSecretStore.new(server: server, org: org, token: token)
+                             .store("rubygems_api_key", new_key)
+      end
+    end
+  end
+end

data/lib/rake/gem/maintenance/ci_environment.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Rake
+  module GemMaintenance
+    # Detects whether the current process is running inside a CI environment.
+    module CIEnvironment
+      def self.ci?
+        ENV["CI"].to_s != ""
+      end
+    end
+  end
+end

data/lib/rake/gem/maintenance/credential_store.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require "yaml"
+require "fileutils"
+require "rubygems"
+
+module Rake
+  module GemMaintenance
+    # Persists rubygems.org credentials (username, API key, OTP seed) to a local config file.
+    class CredentialStore
+      def self.default_path
+        base = if Gem.win_platform?
+                 ENV.fetch("APPDATA", File.expand_path("~"))
+               else
+                 ENV.fetch("XDG_CONFIG_HOME", File.join(Dir.home, ".config"))
+               end
+        File.join(base, "rake-gem-maintenance", "credentials.yml")
+      end
+
+      def initialize(path: self.class.default_path)
+        @path = path
+      end
+
+      attr_reader :path
+
+      def read
+        return {} unless File.exist?(@path)
+
+        YAML.safe_load_file(@path, symbolize_names: true) || {}
+      rescue StandardError
+        {}
+      end
+
+      def write(credentials)
+        FileUtils.mkdir_p(File.dirname(@path))
+        File.write(@path, credentials.transform_keys(&:to_s).to_yaml)
+        File.chmod(0o600, @path) unless Gem.win_platform?
+      end
+
+      def apply_to_env(username_env_var:, api_key_env_var:)
+        creds = read
+        set_env_if_absent(username_env_var, creds[:username])
+        set_env_if_absent("RUBYGEMS_OTP_SEED", creds[:rubygems_otp_seed])
+        set_env_if_absent(api_key_env_var, creds[:gem_host_api_key])
+      end
+
+      def update(username:, api_key:, api_key_env_var:)
+        otp_seed = ENV.fetch("RUBYGEMS_OTP_SEED", nil)
+        updated = read.merge(username: username, gem_host_api_key: api_key)
+        updated[:rubygems_otp_seed] = otp_seed if otp_seed && !otp_seed.empty?
+        write(updated)
+        ENV[api_key_env_var] = api_key
+      end
+
+      private
+
+      def set_env_if_absent(env_var, value)
+        return unless value && !value.empty?
+        return if (existing = ENV.fetch(env_var, nil)) && !existing.empty?
+
+        ENV[env_var] = value
+      end
+    end
+  end
+end

data/lib/rake/gem/maintenance/gem_publisher.rb

@@ -9,8 +9,12 @@ module Rake
     class GemPublisher
       attr_reader :repositories, :warnings, :failed_repositories, :successful_repos
 
-      def initialize(repositories = default_repositories)
+      def initialize(repositories = default_repositories,
+                     otp_provider: OtpProvider.new,
+                     ci_environment: CIEnvironment)
         @repositories = repositories
+        @otp_provider = otp_provider
+        @ci_environment = ci_environment
         @warnings = []
         @failed_pushes = []
         @failed_repositories = []
@@ -76,16 +80,23 @@ module Rake
       end
 
       def push(gem_file, repository:)
-        cmd = "gem push #{gem_file} --host #{repository[:url]}"
-        result = system(cmd)
-        if result
-          @published_files << gem_file
-          @successful_repos << repository[:name]
-        end
+        result = GemPush.new(gem_file, repository, @otp_provider).attempt
+        return record_success(gem_file, repository) if result.success
+
+        record_push_failure(repository, result.error)
       rescue StandardError => e
         @failed_pushes << { repository: repository[:name], error: e.message }
       end
 
+      def record_success(gem_file, repository)
+        @published_files << gem_file
+        @successful_repos << repository[:name]
+      end
+
+      def record_push_failure(repository, message)
+        @failed_pushes << { repository: repository[:name], error: message.strip }
+      end
+
       def version_exists_on_all_repos?(gem_name, version)
         repositories.all? do |repo|
           versions_on_repository(gem_name, repo).include?(version.to_s)